Service 02

Internal
Audits

Independent, expert-led internal audits across 13 defined processes. One-off or as a structured annual programme that satisfies your certification body requirements.

Two Options

Choose Your
Engagement Format

Option A
Loose Audit

A standalone internal audit of one or more specific processes. Ideal for targeted assurance, pre-external-audit checks, or addressing a specific area of concern identified by management.

  • Choose one or more of our 13 defined processes
  • Structured audit report with findings by severity
  • Management summary ready for board presentation
  • Remediation plan with owner and timeline for every finding
  • Turnaround typically 2–4 weeks from kick-off
Option B
Most Popular
Audit Programme

Annual structured programme covering all 13 processes. Satisfies ISO 27001 certification body requirements for internal audit completeness. Year-on-year trend data included.

  • All 13 processes audited across the year
  • Planned audit schedule agreed upfront
  • Full audit reports and management summaries per audit
  • Year-on-year trend reporting
  • Certification evidence pack compiled annually
  • Preferred pricing vs individual loose audits
Audit Scope

13 Defined Processes

Every audit is structured around 13 pre-defined process domains, each with a standardised template, evidence checklist, and scoring methodology.

Process 01
Governance & Leadership
Top management commitment · IS policy · Roles & responsibilities · Management reviews · Continual improvement

Process 02
Risk Management
Risk methodology · Risk assessments · Treatment plans · Statement of Applicability · Internal audit

Process 03
Policies & Compliance
Policy suite · Legal/regulatory register · GDPR/privacy · Acceptable use · Software licensing

Process 04
Identity & Access Management
Access control · Joiner-mover-leaver · MFA · Privileged access · Access reviews

Process 05
Network & Infrastructure
Network architecture · Segmentation · Firewalls · Asset inventory · Cloud network controls

Process 06
Endpoint & System Security
MDM · EDR · Encryption · Patching · Vulnerability scanning

Process 07
Security Operations & Monitoring
Logging · SIEM · Threat detection · Alerting

Process 08
Incident Management & BCM
Incident response · NIS2 reporting · Business continuity · Disaster recovery

Process 09
Data Protection & Privacy
Data classification · Encryption · Retention · Backup · Privacy controls

Process 10
Supplier & Third-Party Security
Vendor risk · Contracts · Third-party access · Supply chain

Process 11
Physical Security
Facility access · Secure areas · Equipment protection

Process 12
People & HR Security
Screening · Onboarding/offboarding · Awareness training · Disciplinary process

Process 13
Secure Development
Secure SDLC · Code review · Testing · Change management
Compare Options

Loose Audit vs
Audit Programme

Feature                       | Loose Audit                   | Audit Programme
------------------------------|-------------------------------|-------------------------------------------
Scope                         | 1 or more selected processes  | All 13 processes, planned annually
Schedule                      | One-time engagement           | Structured annual schedule agreed upfront
Audit report per audit        | ✓                             | ✓
Management summary            | ✓                             | ✓
Remediation plan per finding  | ✓                             | ✓
Year-on-year trend reporting  | –                             | ✓
Certification evidence pack   | –                             | ✓
Preferred annual pricing      | –                             | ✓
Every Audit Delivers

Clear Findings.
Actionable Outputs.

Audit Report
Structured findings classified by severity: Critical, Major, Minor, Observation. Plain language, no jargon. Evidence references for every finding. Executive summary your board reads in 5 minutes.

Remediation Plan
For every finding: a recommended corrective action, suggested process owner, effort estimate, and proposed completion date. Actionable from day one without additional consulting time.

Management Deck
Board-ready presentation summarising scope, key findings, risk exposure, and priority actions, plus the year-on-year improvement trajectory for annual programme clients.
Common Questions

Internal Audit FAQ

How long does a loose audit take?
Typically 2–4 weeks from kick-off to final report, depending on the number of processes in scope and the availability of your staff for interviews. We agree the timeline before starting.
Can you audit us if we are not ISO 27001 certified?
Yes. Our internal audits assess your controls against best practice, not necessarily against a specific certification standard. Many clients use loose audits to understand their security posture before committing to a certification programme.
Who conducts the audits?
All audits are conducted by qualified ISO 27001 Lead Auditors with real-world audit experience. We do not use junior consultants unsupervised. You know exactly who will be auditing you before we start.
Does a third-party internal audit satisfy our ISO 27001 requirement?
Yes. ISO 27001 clause 9.2 requires internal audits at planned intervals, carried out by auditors who are objective and impartial; it does not require those auditors to be your own employees, so an internal audit conducted by a third party satisfies the clause. Many certification bodies prefer third-party internal audits because they are more independent than self-conducted audits. Our programme is specifically designed to meet certification body requirements.
What if our processes are immature? Will the audit produce only failures?
Audits against immature processes do produce more findings, but that is the point. Every finding comes with a prioritised remediation recommendation. The audit report becomes a roadmap for improvement, not just a scorecard.

Ready for an
Honest Assessment?

Request a loose audit or discuss an annual programme. We respond within one business day.
